SaltStack Windows Playbooks
I wanted to start a topic that hopefully will always be updated and kinda pinned, listing all the guides and neat stuff we can do with SaltStack. I use it to manage Windows clients mostly, so for me this will be like an Active Directory replacement showcase.
I want to hear your feedback, correct me if you see room for improvement, and share ideas as well.
This will not cover setting up Salt, just the techniques, which I call playbooks (I know, taken from Ansible).
Sophos Virus Removal Tool:
Upload the sophos folder to the salt master and send it to the clients:
salt '*' cp.get_dir salt://sophos/ c:/salt
Run Sophos silently and delete the temp files beforehand:
salt '*' cmd.run 'del /q/f/s %TEMP%\*'
salt '*' cmd.run '"c:/salt/sophos/SVRTcli.exe" -yes -reboot'
To view the log file, you can read this file:
salt '*' cmd.run 'type "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log"'
To clean the log file:
salt '*' cmd.run 'del /q/f/s "C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\*"'
Other Command line options:
-debug Display extra logging information.
-help Display this text help.
-noupdate Don't download updates when the tool starts.
-preview Don't do disinfection/cleanup.
-reboot Reboot automatically if required for cleanup.
-reset Remove any pending cleanup on reboot operations.
-uninstall Uninstall after scan and cleanup is complete.
-yes Don't ask for confirmation before cleanup.
You can create a state file and schedule it in cron as well:
Create sophos.sls in /srv/salt with:
push_sophos_av_files:
  file.recurse:
    - source: salt://sophos
    - name: 'c:\salt\sophos'
    - makedirs: True
  cmd.run:
    - name: 'c:\salt\sophos\state.cmd'
Then schedule the below command in crontab (VISUAL=nano crontab -e) to run every 2 hours:
0 */2 * * * salt '*' state.apply sophos
And in the state.cmd file put your command.
Windows Local Group Policy:
Controlling Updates + screen wallpaper
Create lgpo.sls in /srv/salt with:
Company Local Group Policy:
  lgpo.set:
    - computer_policy:
        Configure Automatic Updates:
          Configure automatic updating: 4 - Auto download and schedule the install
          Scheduled install day: 5 - Every Thursday
          Scheduled install time: "16:00"
    - user_policy:
        Do not process the legacy run list: Enabled
        Desktop Wallpaper:
          Wallpaper Name: C:\salt\wallpaper.jpg
          WallpaperStyle: Fill

Run myscript:
  cmd.run:
    - name: gpupdate.exe /force
Then schedule the below command to run every 30 mins:
*/30 * * * * salt '*' state.apply lgpo
This location: C:\Windows\PolicyDefinitions
has the adm files that you can view for troubleshooting.
Windows 10's Configure Automatic Updates differs from Windows 7, so if you have an environment with both Win7 and Win10 you're screwed; you sometimes need to create different settings for both. For example, this update setting will work on Windows 7, but Windows 10 will report an error about a missing value you need to add (I forgot what it is), and if you add it, Windows 7 machines won't work.
Sometimes the response will be invalid; however, the policy will work. To verify, use one of the below:
salt '*' lgpo.get user    # By default shows only configured policies
salt '*' lgpo.get machine
salt '*' lgpo.get machine return_not_configured=True
salt '*' lgpo.get_policy_info 'Maximum password age' machine
salt '*' lgpo.get_policy_info 'Desktop Wallpaper' user
Download CCleaner portable and check the items you want to clear on clients, then upload the ccleaner folder to the salt master and send it to the clients:
salt '*' cp.get_dir salt://ccleaner/ c:/salt
Run CCleaner silently, and delete the temp files and recycle bin beforehand:
salt '*' cmd.run 'del /q/f/s %TEMP%\*'
salt '*' cmd.run 'rd /s /q %systemdrive%\$Recycle.bin'
salt '*' cmd.run '"c:/salt/ccleaner/CCleaner.exe" /AUTO'
Dashrender:
Add some tags to the OP.
Will make it easier to find in the future.
SaltStack: control power settings for Windows machines. You can control them via the below commands; you need to create a state file with the below:
monitor:
  powercfg.set_timeout:
    - value: 30
    - power: ac
disk:
  powercfg.set_timeout:
    - value: 30
    - power: ac
standby:
  powercfg.set_timeout:
    - value: 0
    - power: ac
hibernate:
  powercfg.set_timeout:
    - value: 0
    - power: ac
You can also read that information without applying rules by replacing set with get, for example: get_disk_timeout
Then schedule the below commands in crontab (VISUAL=nano crontab -e) to run:
*/30 * * * * salt '*' state.apply power_ac
*/30 * * * * salt '*' state.apply power_dc
It is good to apply this prior to the Windows update or virus scan command.
Fix Windows Time:
Get the list of configured NTP servers:
salt '*' ntp.get_servers
Set Windows to use a list of NTP servers:
salt '*' ntp.set_servers 'pool.ntp.org'
salt '*' system.get_system_date
salt '*' system.get_system_time
Make sure the Windows Time Service is running and set to automatic startup.
salt '*' system.start_time_service
salt '*' system.stop_time_service
After setting NTP, ensure the timezone is correct as well:
salt '*' timezone.set_zone 'Asia/Amman'
salt '*' system.set_system_date '03-28-13'
salt '*' system.set_system_time "'14:16 +0300'"   # (if set using NTP it won't work)
salt '*' system.set_system_time "'+0300'"   # (if set using NTP it won't work)
My Favorite Ultra-VNC setup:
Not all issues can be fixed from the command line, alas, thus this recipe:
uvnc:
  file.recurse:
    - source: salt://uvnc
    - name: 'c:\salt\uvnc'
    - makedirs: True
  cmd.run:
    - name: 'c:\salt\uvnc\state.cmd'
  module.run:
    - name: firewall.disable
Remember to re-enable the firewall of the client when finished (salt "client" firewall.enable).
You will need to create a uvnc folder (get it from the UltraVNC portable builds) in your Salt master, in /srv/salt,
with in it:
SecureVNCPlugin32.dsm (Optional Encryption plugin)
Server_ClientAuth.pubkey (Optional Encryption server SSL handshake check)
And in the state.cmd put the following:
taskkill /f /im winvnc.exe
sc stop uvnc_service
sc delete uvnc_service
"c:\salt\uvnc\winvnc.exe" -install
"c:\salt\uvnc\winvnc.exe" -startservice
sc config uvnc_service start= demand
ipconfig | findstr /i "ipv4"
And whenever you want to connect to a client, run this on the salt master:
salt '172' state.apply uvnc
And you will see the IP of the client. You will need to match the IP, and any custom settings you made like port number/encryption plugin, with the VNC viewer and connect to the client.
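The uvnc state above switches the whole Windows firewall off (module.run: firewall.disable) and relies on someone remembering to turn it back on. As an added example, not the poster's state, here is the same recipe written with Salt's win_firewall.add_rule state so that only the VNC listener is reachable, and only from the admin network; the port 5900 (UltraVNC's default) and the 192.0.2.0/24 viewer subnet are assumptions, adjust them to your own UltraVNC settings.

```yaml
# Added example (not from the original post): uvnc.sls that scopes the
# firewall change to a single inbound rule instead of disabling the firewall.
uvnc:
  file.recurse:
    - source: salt://uvnc
    - name: 'c:\salt\uvnc'
    - makedirs: True
  cmd.run:
    - name: 'c:\salt\uvnc\state.cmd'
    - require:
      - file: uvnc

# Allow only the VNC listener, only from the admin network.
# Assumptions: UltraVNC is left on its default port 5900, and the VNC viewer
# sits in 192.0.2.0/24 (a constructed example subnet, not a real one).
uvnc_firewall_rule:
  win_firewall.add_rule:
    - name: 'UltraVNC listener (managed by salt)'
    - localport: 5900
    - protocol: tcp
    - action: allow
    - dir: in
    - remoteip: 192.0.2.0/24
    - require:
      - cmd: uvnc
```

With this form nothing is left wide open after the session, so the firewall.enable step is no longer needed; if you want the rule gone again afterwards, the execution module's firewall.delete_rule (assumed to take the same name/localport arguments) removes it.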